Please don't tell anyone about this commit. It's a secret.

[ildyria]

@luuhung1217 thank you for that one. :')

Summary by CodeRabbit

• Bug Fixes
  • Strengthened secure image link handling to reject invalid and path-traversal URL attempts (including encoded traversal and unsafe separators).
  • Improved file target resolution to safely determine the local path before serving content.
• Tests
  • Added a test ensuring traversal-style image URLs are blocked and return an error response.
• Chores
  • Bumped the application version and refreshed cache during the migration.
  • Updated the production container dependencies to include libssh2-1t64.
• Documentation
  • Updated the recorded version in version.md.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d7b4e54e-5d1b-479f-8e30-d72b48f32d97

📥 Commits

Reviewing files that changed from the base of the PR and between 573ef0e and c36710b.

📒 Files selected for processing (1)

• Dockerfile

---

📝 Walkthrough

Walkthrough

SecurePathController now validates incoming paths, rejects traversal-like input, and resolves files with Safe\realpath before serving them. A new migration bumps the stored version, version.md is updated to 7.6.4, and the production image adds libssh2-1t64.

Changes

Secure path handling

Layer / File(s)	Summary
Path prevalidation app/Http/Controllers/SecurePathController.php, tests/Feature_v2/SecureImageLinksTest.php	prevalidation_path rejects null values and traversal-like substrings, and the feature test asserts 418 for a mutated ../.env request.
Safe realpath resolution app/Http/Controllers/SecurePathController.php	The controller imports Safe\Exceptions\FilesystemException and Safe\realpath, and uses Safe\realpath to resolve the storage path before prefix and file-existence checks.

Release updates

Layer / File(s)	Summary
Version migration database/migrations/2026_06_26_173103_bump_version070604.php, version.md, Dockerfile	A new migration updates configs.version to 070604, clears cache on success, version.md is incremented to 7.6.4, and the production image adds libssh2-1t64.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through paths with careful nose,
And dodged the .. that danger grows.
Cache cleared, version ticked ahead,
While 418 kept worms in bed.

🚥 Pre-merge checks | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

tests/Feature_v2/SecureImageLinksTest.php (1)

125-132: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Cover every rejected traversal sequence.

The production helper rejects .., %2e, %2f, and \, but this test only exercises ../.env. A small data provider would lock the full security contract.

🧪 Proposed test expansion

+	/**
+	 * `@return` array<string, array{string}>
+	 */
+	public static function forbiddenPathProvider(): array
+	{
+		return [
+			'parent traversal' => ['../.env'],
+			'encoded dot' => ['%2e%2e/.env'],
+			'encoded slash' => ['..%2f.env'],
+			'backslash' => ['..\\.env'],
+		];
+	}
+
+	/**
+	 * `@dataProvider` forbiddenPathProvider
+	 */
-	public function testPathTraversalIsForbidden(): void
+	public function testPathTraversalIsForbidden(string $forbidden_path): void
 	{
 		$this->setTemporaryLink();
 		$path = URL::route('image', ['path' => 'c3/3d/c661c594a5a781cd44db06828783.png']);
-		$traversal_path = str_replace('c3/3d/c661c594a5a781cd44db06828783.png', '../.env', $path);
+		$traversal_path = str_replace('c3/3d/c661c594a5a781cd44db06828783.png', $forbidden_path, $path);
 		$response = $this->actingAs($this->userMayUpload1)->get($traversal_path);
 		$this->assertStatus($response, 418);
 	}

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0e9b9482-aeb9-421c-a4f6-739f000e3ebc

📥 Commits

Reviewing files that changed from the base of the PR and between 51be8c6 and 36e9b14.

📒 Files selected for processing (2)

• app/Http/Controllers/SecurePathController.php
• tests/Feature_v2/SecureImageLinksTest.php

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.41%. Comparing base (51be8c6) to head (c36710b).

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.